(1) Field of the Invention
The invention relates to the field of security systems for computer networks.
(2) Description of Related Art
The United States and the rest of the world present a target-rich environment for a variety of cyber threats. Rogue hackers (e.g. Anonymous) have created significant disruptions. Criminal organizations have employed botnets and other strategies to engage in massive wealth transfers. And state-affiliated actors have penetrated a number of US entities, including the US Chamber of Commerce, Nortel, and others.
Particularly troubling is the fact that many of the activities have gone undetected for significant periods of time, suggesting that what we have seen is only the tip of the iceberg. Further, while much of this activity has been aimed at achieving political, financial, or diplomatic advantage, there is the troubling possibility of a coordinated attack taking out critical infrastructure in military, industrial, power generation, financial and other critical centers. If a previously prepared attack were coordinated with a significant conventional threat there could be global ramifications.
Per NSA Director Keith Alexander, perhaps a trillion dollars a year is being spent on cyber defense. This has not, however, bought a trillion dollars' worth of confidence in our cyber defenses.
It has proved difficult to bring threatened institutions up to currently recognized levels of best practice, i.e. use of secure passwords, single sign-on, least privilege, multiple firewalls, and so on. And it is far from clear that even current best practice is “best” enough.
Further, the large expenditures themselves represent a kind of failure. The current cyber-attacks represent a strongly asymmetric form of warfare. Individuals and small groups can create extraordinary DDOS attacks with only limited resources. The increasing complexity of software creates an exponential increase in potential points of attack. Increasing sophistication in hacks, e.g. self-assembling viruses, is providing new ways to exploit weakness. And the general sloppiness of the web—together with its use for more and more critical infrastructure—generates what one might euphemistically refer to as a “negative progress situation”.
If attackers can spend small quantities of resource while generating large, expensive, slow, and relatively ineffectual responses, then even a successful response, if expensive enough, may mean a net strategic failure.
If we are to reverse this trend we will need approaches which are:
1. Adaptive
2. Autonomous
3. Automatic
They must be adaptive because the threats are, autonomous because the threats are high frequency and unceasing, and automatic because human response times are too great.
What is desired is something like an immune system for software, where even novel threats are recognized quickly and kick off a well-defined cascade of defensive and prophylactic measures, without conscious attention. Ideally the hyper-caffeinated hackers might spend weeks devising a new line of attack, only to see it flagged as abnormal and countered in milliseconds. The inventors have, ultimately, no objection to asymmetry, and would just like to see the sharp end of the asymmetry pointing in the other direction.
This is a non-trivial problem. Given the significance and difficulty of the problem, sound principles of portfolio management require exploration of a wide variety of approaches.
One approach to this problem is a distributed agent-based model for network security described in U.S. Pat. No. 8,046,835, and incorporated above by reference. As explained further below, this patent describes a distributed multi-agent system for real-time collection, monitoring, aggregation, and modeling of system and network operations, communications, internal and external access, coded execution functions, network and network resource conditions, as well as other assessable criteria. A Bayesian model is used to estimate likelihoods of various threat vectors. The model provides access to the reasoning behind its inferences. It may recommend or in some cases even implement responses to detected threats.
In the years since the subject matter described in U.S. Pat. No. 8,046,835 was developed, cloud and other technologies have made testing it significantly more feasible. The basic idea is that a large number of sensors, aggregators, and other agents monitor an at-risk system looking for anomalies. Bayesian analysis is used to estimate the probability that a particular pattern of activity is hostile. In the most sensitive cases, any variation from established baselines might be considered potentially hostile. Many of the agents could live in the secure cloud, keeping them from putting too much of a load on the defended system, letting their activity ramp up quickly when threat levels are higher, and keeping the agents themselves from being a target.
Since the individual agents are simple, once the overall architecture has been validated, tuning the system to respond to new threats and opportunities should be rapid, often being merely a matter of writing a small agent and telling the system to listen to it. This is analogous to the way “plug-in” modules are currently used to quickly augment the capabilities of browsers, word processors and the like. For example, if software certification authorities become generally available, certification agents could verify firmware and executables against published checksums, at random intervals or when an attack is suspected.
Calibration of the Bayesian model is of course key. Banks of reference systems (i.e. “honey pots”)—some prepared clean, others prepared with known threats present—could be used to tune and validate the model. Use of cloud computing makes it economical to run thousands of tests simultaneously, ideally giving a relatively accurate way to judge under what conditions the model can be allowed to trigger an automated response and when verification by a human operator would first be required.
While the inventors are now focused on the cyber security problem, the original system was meant to be more general in application, with network security, financial, medical, and other applications. The agents can be used to:
1. Establish baselines
2. Identify variations
3. Generate smaller groups of agents to target specific threats (vaccines)
4. Initiate automated responses, such as raising firewalls, switching to a spare machine not under attack, and so on
5. Serve as laboratories for developing counter-agents, verifying pre-deployment they will be effective against their intended target with a minimum of collateral damage.
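The following is an added illustration, not code from this patent or from U.S. Pat. No. 8,046,835, of the agent roles listed above together with the honey-pot style calibration described earlier. Two kinds of simple agent are assumed: a rate monitor that establishes a baseline from clean observations and flags variations from it, and a certification agent that checks an executable against a published SHA-256 checksum. A naive-Bayes aggregator combines the agents' alarms into a posterior probability that a host is hostile and exposes the per-agent reasoning behind that inference. The likelihoods are calibrated from constructed, labelled reference runs (clean and known-threat), and the two thresholds that separate no action, human verification and automated response are derived from those same runs. All host snapshots, metrics, binaries, checksums and the threshold rule are constructed assumptions for this example.

```python
"""Added illustration, not the patent's code: a toy multi-agent Bayesian anomaly
aggregator with honey-pot style calibration. Every host, metric, checksum and
the threshold rule below is a constructed assumption for this example."""
import hashlib
import math
from statistics import mean, pstdev

AGENTS = ("conn_rate", "checksum", "login_fail")
GOOD, BAD = b"good-firmware-v1", b"good-firmware-v1\x00patched"  # constructed binaries
PUBLISHED_SHA256 = hashlib.sha256(GOOD).hexdigest()  # constructed 'published checksum'

# Constructed reference systems: clean 'honey pots' and ones with known threats.
REFERENCE_HOSTS = [
    ("clean", {"conn_rate": 10, "binary": GOOD, "login_fail": 0}),
    ("clean", {"conn_rate": 11, "binary": GOOD, "login_fail": 1}),
    ("clean", {"conn_rate": 9, "binary": GOOD, "login_fail": 2}),
    ("clean", {"conn_rate": 14, "binary": GOOD, "login_fail": 1}),  # benign traffic burst
    ("hostile", {"conn_rate": 40, "binary": BAD, "login_fail": 15}),
    ("hostile", {"conn_rate": 11, "binary": BAD, "login_fail": 1}),
    ("hostile", {"conn_rate": 35, "binary": GOOD, "login_fail": 8}),
    ("hostile", {"conn_rate": 10, "binary": GOOD, "login_fail": 30}),
]

def establish_baseline(samples):
    """Baseline (mean, population std dev) of one metric from clean observations."""
    return mean(samples), pstdev(samples)

def rate_agent(value, baseline, k=3.0):
    """Alarm when a metric exceeds its baseline mean by more than k std devs."""
    m, s = baseline
    return value > m + k * max(s, 1e-9)

def checksum_agent(blob, published_hex):
    """Alarm when an executable's SHA-256 differs from the published checksum."""
    return hashlib.sha256(blob).hexdigest() != published_hex

def observe(host, baselines):
    """Run every agent against one host snapshot; returns agent -> alarm flag."""
    return {
        "conn_rate": rate_agent(host["conn_rate"], baselines["conn_rate"]),
        "checksum": checksum_agent(host["binary"], PUBLISHED_SHA256),
        "login_fail": rate_agent(host["login_fail"], baselines["login_fail"]),
    }

def calibrate(labelled):
    """Per-agent P(alarm|hostile), P(alarm|clean) and the prior, estimated from
    labelled reference runs; Laplace-smoothed so no likelihood is exactly 0 or 1."""
    likelihoods = {}
    for a in AGENTS:
        h = [al[a] for lbl, al in labelled if lbl == "hostile"]
        c = [al[a] for lbl, al in labelled if lbl == "clean"]
        likelihoods[a] = ((sum(h) + 1) / (len(h) + 2), (sum(c) + 1) / (len(c) + 2))
    n_hostile = sum(1 for lbl, _ in labelled if lbl == "hostile")
    return (n_hostile + 1) / (len(labelled) + 2), likelihoods

def posterior(model, alarms):
    """Naive-Bayes P(hostile | alarms) plus the per-agent reasoning behind it."""
    prior, likelihoods = model
    log_odds = math.log(prior / (1 - prior))
    reasoning = []
    for a, fired in alarms.items():
        ph, pc = likelihoods[a]
        lr = ph / pc if fired else (1 - ph) / (1 - pc)  # likelihood ratio of this evidence
        log_odds += math.log(lr)
        reasoning.append(f"{a}={'alarm' if fired else 'quiet'} LR={lr:.2f}")
    return 1 / (1 + math.exp(-log_odds)), reasoning

def choose_thresholds(model, labelled):
    """Assumed rule: human verification once the score exceeds every clean
    reference run; automated response only once it also reaches the lowest
    score that any known-hostile reference run produced."""
    clean = [posterior(model, al)[0] for lbl, al in labelled if lbl == "clean"]
    hostile = [posterior(model, al)[0] for lbl, al in labelled if lbl == "hostile"]
    review = max(clean)
    return review, max(review, min(hostile))

def decide(model, thresholds, alarms):
    """Map the posterior to 'none', 'human_verification' or 'automated_response'."""
    review, auto = thresholds
    p, why = posterior(model, alarms)
    action = "automated_response" if p > auto else "human_verification" if p > review else "none"
    return action, p, why

def build_demo():
    """Baselines from constructed clean samples, then calibrate and set thresholds."""
    baselines = {"conn_rate": establish_baseline([10, 11, 9, 12, 10, 10, 11, 9]),
                 "login_fail": establish_baseline([0, 1, 0, 2, 1, 0, 1, 0])}
    labelled = [(lbl, observe(h, baselines)) for lbl, h in REFERENCE_HOSTS]
    model = calibrate(labelled)
    return baselines, model, choose_thresholds(model, labelled)

if __name__ == "__main__":
    baselines, model, thresholds = build_demo()
    for host in ({"conn_rate": 10, "binary": GOOD, "login_fail": 0},
                 {"conn_rate": 11, "binary": BAD, "login_fail": 1},
                 {"conn_rate": 40, "binary": BAD, "login_fail": 15}):
        action, p, why = decide(model, thresholds, observe(host, baselines))
        print(f"{action:19s} p={p:.3f}  " + "; ".join(why))
```

With the constructed reference runs, a host whose only alarm is a checksum mismatch scores exactly at the automated-response threshold and is routed to human verification, while a host with a login-failure burst alone, or several alarms together, crosses it and triggers the automated path. The reasoning list returned beside each probability is the toy counterpart of the model's access to the reasoning behind its inferences; the threshold rule is only as trustworthy as the coverage of the reference bank, which is why the calibration bank, not the aggregator, is where the engineering effort belongs.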
Given that the development of such distributed agent-based models for security modeling and response is now feasible, the next step is to develop some reference implementations, to test the ideas in practice. One approach is to work with existing vendors, e.g. Cogility or Blue Canopy, to see how this agent-based system can help automate their existing threat detection approaches. Another is to work with vanilla Linux systems, again with the goal of automating the synthesis of existing monitoring tools into an adaptive, autonomous, and automatic security monitoring and response system. The present invention addresses these needs in the art.